Filtered by CWE-295
Filtered by vendor Subscriptions
Total 1102 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2012-5817 2 Amazon, Codehaus 2 Ec2 Api Tools Java Library, Xfire 2024-11-21 7.4 High
Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2012-5810 1 Jpmorganchase 1 Chase Mobile 2024-11-21 5.9 Medium
The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default X509TrustManager. NOTE: this vulnerability was fixed in the summer of 2012, but the version number was not changed or is not known.
CVE-2012-5783 3 Apache, Canonical, Redhat 12 Httpclient, Ubuntu Linux, Enterprise Linux and 9 more 2024-11-21 N/A
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2012-5518 1 Ovirt 1 Vdsm 2024-11-21 7.5 High
vdsm: certificate generation upon node creation allowing vdsm to start and serve requests from anyone who has a matching key (and certificate)
CVE-2012-4948 1 Fortinet 29 Fortigate-1000c, Fortigate-100d, Fortigate-110c and 26 more 2024-11-21 N/A
The default configuration of Fortinet Fortigate UTM appliances uses the same Certification Authority certificate and same private key across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging the presence of the Fortinet_CA_SSLProxy certificate in a list of trusted root certification authorities.
CVE-2012-3446 1 Apache 1 Libcloud 2024-11-21 5.9 Medium
Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
CVE-2012-3037 1 Siemens 18 Simatic S7-1200, Simatic S7-1200 Cpu 1211c, Simatic S7-1200 Cpu 1211c Firmware and 15 more 2024-11-21 N/A
The Siemens SIMATIC S7-1200 2.x PLC does not properly protect the private key of the SIMATIC CONTROLLER Certification Authority certificate, which allows remote attackers to spoof the S7-1200 web server by using this key to create a forged certificate.
CVE-2012-2993 1 Microsoft 2 Windows Phone 7, Windows Phone 7 Firmware 2024-11-21 5.9 Medium
Microsoft Windows Phone 7 does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL server for the (1) POP3, (2) IMAP, or (3) SMTP protocol via an arbitrary valid certificate.
CVE-2012-1316 1 Cisco 1 Ironport Web Security Appliance 2024-11-21 5.9 Medium
Cisco IronPort Web Security Appliance does not check for certificate revocation which could lead to MITM attacks
CVE-2012-1096 2 Debian, Gnome 2 Debian Linux, Networkmanager 2024-11-21 5.5 Medium
NetworkManager 0.9 and earlier allows local users to use other users' certificates or private keys when making a connection via the file path when adding a new connection.
CVE-2012-0955 1 Canonical 1 Software-properties 2024-11-21 6.8 Medium
software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92.
CVE-2012-0867 4 Debian, Opensuse Project, Postgresql and 1 more 11 Debian Linux, Opensuse, Postgresql and 8 more 2024-11-21 N/A
PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
CVE-2012-0861 1 Redhat 3 Enterprise Linux, Enterprise Virtualization Manager, Rhev Manager 2024-11-21 N/A
The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via a man-in-the-middle attack.
CVE-2011-3061 1 Google 1 Chrome 2024-11-21 N/A
Google Chrome before 18.0.1025.142 does not properly check X.509 certificates before use of a SPDY proxy, which might allow man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate.
CVE-2011-3024 1 Google 1 Chrome 2024-11-21 N/A
Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service (application crash) via an empty X.509 certificate.
CVE-2011-2874 1 Google 1 Chrome 2024-11-21 N/A
Google Chrome before 14.0.835.163 does not perform an expected pin operation for a self-signed certificate during a session, which has unspecified impact and remote attack vectors.
CVE-2011-2669 1 Mozilla 1 Firefox 2024-11-21 6.5 Medium
Mozilla Firefox prior to 3.6 has a DoS vulnerability due to an issue in the validation of certificates.
CVE-2011-2207 3 Debian, Gnupg, Redhat 3 Debian Linux, Gnupg, Enterprise Linux 2024-11-21 5.3 Medium
dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate.
CVE-2011-0199 1 Apple 2 Mac Os X, Mac Os X Server 2024-11-21 5.9 Medium
The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate.
CVE-2010-4685 1 Cisco 1 Ios 2024-11-21 N/A
Cisco IOS before 15.0(1)XA1 does not clear the public key cache upon a change to a certificate map, which allows remote authenticated users to bypass a certificate ban by connecting with a banned certificate that had previously been valid, aka Bug ID CSCta79031.